Abstract

The automatic generation of test cases is an important issue for conformance testing of several
critical systems. We present a new method for the derivation of test suites when the specification is
modeled as a combined Finite State Machine (FSM). A combined FSM is obtained by conjoining previously
tested submachines with newly added states. This new concept is used to describe a fault model
suitable for incremental testing of new systems, or for retesting modified implementations. For this
fault model, only the newly added or modified states need to be tested, thereby considerably reducing
the size of the test suites. The new method is a generalization of the well-known W-method [4] and
the G-method [2], but is scalable, and so it can be used to test FSMs with an arbitrarily large number
of states.

1 Introduction 

Test case generation for reactive and critical systems using formal methods has been widely studied
[1, 2, 4, 6, 8, 11, 12, 14]. In such methods, system requirements are described by means of mathematical
models and formally specified functionalities. When using formal specification models, the automatic
generation of adequate test cases arises as an important problem. Methods to automate the generation of
test suites must be efficient, in terms of test suite size, and accurate, in terms of fault detection [3, 11].
When test suites are applied, the notion of conformance [5] can be used, so that if an implementation
passes a test suite, its behavior is said to conform to the behavior extracted from the specification.

Finite State Machines (FSMs) are the basic formalism in many methods that automate the generation 
of conformance test case suites. For surveys, see [1, 11, 14]. Among such methods, the W-method [4] 
is based on the notion of characterization sets, and provides full fault coverage for minimal, completely 
specified and deterministic FSMs. Several derivations have been proposed around it. In particular, the 
G-method [2] is a generalization of the W-method that does not depend on characterization sets. 

These methods assume that the system specification is treated in a monolithic way. However, in
many situations, systems are modular, with their specifications being formed by several subsystems. If
one such subsystem is also modeled by a FSM, we call it a submachine. Then, the full FSM model is a
combination of several submachines, with the aid of a few new states and transitions. In this article, we
propose a new approach to test combined FSMs when submachine implementations are assumed correct.

Testing using the combined FSM abstraction is useful in at least two situations. If a new system is
modeled as a combination of several submachines, then we can implement and test each submachine
independently. Later, we can test the combined machine using a smaller test suite. In this incremental
testing approach, if an implementation does not pass a test suite, only a few states need to be retested,
avoiding reapplying large test suites, as in the W-method. On the other hand, suppose that a given
specification is changed; then only the corresponding part of a former implementation gets modified. If we
use methods like the W-method or the G-method, we would have to test the entire system again. However,
if the specification is a combined machine, only the affected submachines need to be retested.

There are related works on retesting modified implementations. But they are restricted to certain
types of errors and modifications, and require that implementations maintain the same number of states
as in the specification [7, 10]. In this paper, we do not restrict the types of errors in an implementation,
nor how it is modified, and we allow implementations with more states than in the specification.

In Section 2, we review the FSM model and related conventions. In Section 3, we describe equivalence
relations of FSMs and introduce the concept of separators, a powerful tool to test FSMs. In Section 4,
we formalize the notion of combined FSMs. In Section 5, we present the new test case generation
method, here named the C-method. In Section 6, we compare our method with the W-method, and
argue that the C-method is scalable, that is, it can be used to test FSMs with a large number of states.

2 Basic definitions 

Let $A$ be an alphabet. Then $A^*$ is the set of all finite sequences of symbols, or words, over $A$. The
length of a word $p \in A^*$ will be denoted by $|p|$, and $\varepsilon$ will denote the empty word. So, $|\varepsilon| = 0$. The
concatenation, or juxtaposition, of two words $\alpha, \beta \in A^*$ will be indicated by $\alpha\beta$.

2.1 Finite State Machines 

A FSM is a tuple $M = (X, Y, S, s_0, \delta, \lambda)$, where: (i) $X$ is a finite input alphabet, (ii) $Y$ is a finite output
alphabet, (iii) $S$ is the set of states, (iv) $s_0 \in S$ is the initial state, (v) $\delta : X \times S \to S$ is the transition
function, and (vi) $\lambda : X \times S \to Y$ is the output function.

From now on we fix the notation $M = (X, Y, S, s_0, \delta, \lambda)$ and $M' = (X, Y', S', s'_0, \delta', \lambda')$. Sequences of
input symbols will be represented by words $p \in X^*$, and sequences of output symbols will be represented
by words $\sigma \in Y^*$. The end state after the successive application of each input is given by the extended
function $\delta : X^* \times S \to S$, and the extended output function is $\lambda : X^* \times S \to Y^*$, defined by

$$\delta(\varepsilon, s) = s, \qquad \delta(ap, s) = \delta(p, \delta(a, s)),$$

$$\lambda(\varepsilon, s) = \varepsilon, \qquad \lambda(ap, s) = \lambda(a, s)\,\lambda(p, \delta(a, s)),$$

for all $a \in X$, $p \in X^*$ and $s \in S$.

Usually, a FSM is represented by a state diagram. Figure 1 illustrates two FSMs with initial states $s_0$
and $s_4$, respectively. We will refer to this figure throughout the paper.

2.2 Concatenation of words and relative concatenation 

We adopt the usual notation of concatenation of two sets of words and denote by $X_n$ the set of all input
words with length at most $n$. For the sake of completeness, we give a definition below.

Definition 1. Let $A, B \subseteq X^*$ and let $n$ be a non-negative integer. Then, (i) $AB = \{\alpha\beta \mid \alpha \in A, \beta \in B\}$, (ii)
$X^n = \{p \in X^* \mid |p| = n\}$, and (iii) $X_n = \bigcup_{k=0}^{n} X^k$.

Suppose that a set of input words, $Z$, must be applied to a set of states, $S$. To accomplish this, we
generate test cases, by selecting a set of words, $Q$, to reach the states in $S$, and concatenating $Q$ with $Z$.
For example, if $Z = \{a\}$, $S = \{s_1, s_2\}$ and we may reach $s_1$ and $s_2$ applying $a$ and $ab$ to $s_0$, respectively,
then we may select $Q = \{a, ab\}$, and generate test cases $QZ = \{aa, aba\}$. Now, suppose that specific
sets are applied to distinct states, that is, $Z_1 = \{a\}$ is applied to $s_1$, and $Z_2 = \{b\}$ is applied to $s_2$. In this
case, the conventional concatenation is not useful. To address this problem, the relative concatenation
was introduced [8]. First, we need the following, where $\mathcal{P}(A)$ stands for the power set of a set $A$.

Definition 2. Let $M$ be a FSM and let $\Pi$ be a partition of $S$. A state attribution is a function $B : S \to \mathcal{P}(X^*)$.
A class attribution is a function $\mathcal{B} : \Pi \to \mathcal{P}(X^*)$.

A class attribution induces a state attribution in a natural way. If $\mathcal{B}$ is a class attribution over a
partition $\Pi$, then the induced state attribution, $B$, is defined by $B(s) = \mathcal{B}(C)$, for all $s \in C$ and all $C \in \Pi$.

Definition 3. Let $M$ be a FSM, $A \subseteq X^*$, and $B$ be a state attribution of $M$. Given a state $s$, we define the
$s$-relative concatenation of $A$ and $B$ as $A \otimes_s B = \{\alpha\beta \mid \alpha \in A, \beta \in B(\delta(\alpha, s))\}$.

Whenever $s = s_0$, we may drop the state index and simply write $A \otimes B$. If $\mathcal{B}$ is a class attribution,
then we may also write $A \otimes_s \mathcal{B}$ to mean $A \otimes_s B$, where $B$ is the induced state attribution. The usual
concatenation may be thought of as a particular case of the relative concatenation, as observed below.

Observation 4. Let $M$ be a FSM and $A, B$ be sets of input words. Let also $\mathcal{B}$ be a state attribution such
that $\mathcal{B}(s) = B$ for all $s \in S$. Then $A \otimes \mathcal{B} = AB$.
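As an added worked example (code written for this edit, not taken from the paper), the following Python encodes a small constructed FSM as dictionaries, implements the extended functions $\delta$ and $\lambda$ of Section 2.1, the sets $X_n$, the usual concatenation and the $s$-relative concatenation of Definition 3, and reproduces the $Q$, $Z$ situation described above, where $a$ reaches $s_1$ and $ab$ reaches $s_2$. The machine, its state names and its outputs are assumptions of the example and are not the machine of Figure 1.

```python
from itertools import product

# Constructed three-state FSM (an assumption of this example, not Figure 1 of
# the paper): input alphabet {a, b}, output alphabet {0, 1}, initial state s0.
# delta(a, s) and lambda(a, s) are keyed by (state, input).
X = ("a", "b")
DELTA = {("s0", "a"): "s1", ("s0", "b"): "s0",
         ("s1", "a"): "s0", ("s1", "b"): "s2",
         ("s2", "a"): "s2", ("s2", "b"): "s1"}
LAMBDA = {("s0", "a"): 0, ("s0", "b"): 0,
          ("s1", "a"): 1, ("s1", "b"): 0,
          ("s2", "a"): 1, ("s2", "b"): 1}


def run(word, s="s0"):
    """Extended functions: returns (delta*(word, s), lambda*(word, s)), i.e. the
    end state and the output word, by unrolling the recursive definition."""
    out = []
    for a in word:
        out.append(LAMBDA[(s, a)])
        s = DELTA[(s, a)]
    return s, tuple(out)


def words_up_to(n):
    """X_n: every input word of length at most n, including the empty word."""
    return {"".join(w) for k in range(n + 1) for w in product(X, repeat=k)}


def concat(A, B):
    """Usual concatenation AB of two sets of words (Definition 1)."""
    return {alpha + beta for alpha in A for beta in B}


def relative_concat(A, attribution, s="s0"):
    """s-relative concatenation A (x)_s B (Definition 3): each alpha in A is followed
    only by the words that the state attribution assigns to delta*(alpha, s)."""
    return {alpha + beta for alpha in A for beta in attribution[run(alpha, s)[0]]}


def text_example():
    """The situation of Section 2.2: Q = {a, ab} reaches s1 and s2 from s0."""
    Q = {"a", "ab"}
    constant = {s: {"a"} for s in ("s0", "s1", "s2")}    # B(s) = Z = {a} for every s
    per_state = {"s0": set(), "s1": {"a"}, "s2": {"b"}}  # Z1 = {a} at s1, Z2 = {b} at s2
    return relative_concat(Q, constant), relative_concat(Q, per_state)
```

With the constant attribution the relative concatenation collapses to the usual concatenation $QZ = \{aa, aba\}$, as Observation 4 states; with the per-state attribution it yields $\{aa, abb\}$, which no plain concatenation of $Q$ with a single set produces.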

2.3 State Reachability 

Definition 5. Let $M$ be a FSM. A state $s$ is reachable if and only if there exists $p \in X^*$ such that
$s = \delta(p, s_0)$. $M$ is connected if and only if every state is reachable.

When applying an input word $p$ to a start state $s$, if all we know is that the length of $p$ is at most $n$,
then the output obtained when applying $p$ starting at $s$ will depend only on states that are at a distance of
at most $n$ from $s$. Such states around $s$ form a neighborhood, defined as follows.

Definition 6. Let $M$ be a FSM.

1. The $k$-radius of a state $s$, denoted by $\mathrm{rad}(s, k)$, is the set of states that can be reached starting at $s$
and using input words of length at most $k$. That is, $r \in \mathrm{rad}(s, k)$ if and only if there exists an input
word $p \in X^*$ such that $r = \delta(p, s)$ and $|p| \leq k$.

2. The $k$-neighborhood of a set of states $C$, denoted by $\mathrm{nbh}(C, k)$, is formed by the $k$-radiuses of the states
in $C$. That is, $\mathrm{nbh}(C, k) = \bigcup_{s \in C} \mathrm{rad}(s, k)$.

2.4 Cover sets 

Cover sets are used in many FSM test methods in order to guarantee that every state is reached from
the initial state and that every transition in the model is exercised at least once. But, if we know that
some states have already been tested, then we do not need to reach them or exercise their corresponding
transitions. In this situation, only untested states must be covered, and partial cover sets are sufficient.

Definition 7. Let $M$ be a FSM and $C$ be a set of states. A set $P \subseteq X^*$ is a partial transition cover set for
$C$ if, for every state $s \in C$ and every symbol $a \in X$, there exist $p, pa \in P$ such that $s = \delta(p, s_0)$.

Whenever $C$ is the set of all states, $P$ is, in fact, a transition cover set as defined in [2, 4, 8]. A
transition cover set may be obtained from a labeled tree for $M$ [4]. A procedure to construct the labeled
tree is given in [2]. Although that procedure is intended to cover the entire set of states, one can modify it
in a straightforward way in order to obtain a partial cover set.

3 State equivalence and state separators 

In this section, we define state equivalences and introduce the essential notion of a separator. 
3.1 State equivalence

Definition 8. Let $M$ and $M'$ be two FSMs over the same input alphabet, $X$, and let $s$ and $s'$ be states of
$M$ and $M'$, respectively.

1. Let $p \in X^*$. We say that $s$ is $p$-equivalent to $s'$ if $\lambda(p, s) = \lambda'(p, s')$. In this case, we write $s \sim_p s'$.
Otherwise, $s$ is $p$-distinguishable from $s'$, and we write $s \not\sim_p s'$.

2. Let $K \subseteq X^*$. We say that $s$ is $K$-equivalent to $s'$ if $s$ is $p$-equivalent to $s'$, for every $p \in K$. In this
case, we write $s \sim_K s'$. Otherwise, $s$ is $K$-distinguishable from $s'$, and we write $s \not\sim_K s'$.

3. State $s$ is equivalent to $s'$ if $s$ is $p$-equivalent to $s'$ for every $p \in X^*$. In this case, we write $s \sim s'$.

Otherwise, $s$ is distinguishable from $s'$, and we write $s \not\sim s'$.

In Figure 1, state $s_1$ in (a) is $p$-distinguishable from state $s_4$ in (b) for a suitable input word $p$, so we write $s_1 \not\sim_p s_4$.

We say that two FSMs, $M$ and $M'$, are equivalent if $s_0 \sim s'_0$. So, we say that a FSM correctly
implements another FSM if the initial states of the corresponding machines are equivalent.

If $M$ and $M'$ are the same machine, the definition above can be taken as specifying equivalence
relations over sets of states $C \subseteq S$. In this case, for a set of input words $R \subseteq X^*$, the relation $\sim_R$ induces
a partition of the states in $C$. We denote such partition by $[C/R]$. For example, in Figure 1(a), with
$C = \{s_0, s_1, s_2, s_3\}$, $R = \{aaaa\}$ induces the partition $[C/R] = \{\{s_0\}, \{s_1\}, \{s_2, s_3\}\}$.

The number of pairwise distinguishable states of a FSM is called its index, as defined below. 

Definition 9. Let $M$ be a FSM and $C$ be a set of states. The number of equivalence classes induced by
the $\sim$ relation over $C$ is denoted by $\iota(C)$. The index of $M$ is $\iota(S)$. If $\iota(S) = |S|$, then the machine is said
to be minimal.

3.2 State separators 

From Definition 8, two states $s$ and $r$ are distinguishable if and only if there exists a word $\gamma$ with $s \not\sim_\gamma r$.
Whenever this happens, we say that $\gamma$ separates $s$ and $r$. We extend this notion, so that we can separate
any two sets of states. In this case, we use a collection of input sequences instead of just one sequence.

Definition 10. Let $M$ be a FSM, let $A, B$ be two subsets of states, not necessarily disjoint, and let $R \subseteq X^*$
be a set of input words. $R$ is an $(A, B)$-separator if and only if for each pair of distinguishable states $s$ and
$r$, such that $s \in A$ and $r \in B$, we have $s \not\sim_R r$.

To exemplify this new concept, consider machine (a) in Figure 1, and let $A = \{s_0, s_1\}$, $B = \{s_0, s_2\}$
and $C = \{s_0, s_3\}$. The set of input sequences $R = \{ab\}$ is an $(A, B)$-separator, but, since $s_2$ and $s_3$ are
distinguishable and yet $s_2 \sim_R s_3$, with $s_2 \in B$ and $s_3 \in C$, $R$ is not a $(B, C)$-separator. Note that state $s_0$
is a common element of $A$ and $B$.

Notice that, in this paper, we adopt a more flexible definition of characterization sets than that found
in [9]. In the latter, the FSM being minimal is a necessary condition for the existence of a characterization
set, while in our definition, any FSM has a characterization set. The same happens with respect to
identification sets as defined in [8]. We do not even require a characterization set or an identification set
to be minimal. Also, note that, in Definition 10, the sets $A$ and $B$ may have a nonempty intersection. This
often happens in the case of characterization sets, which are used to separate any pair of distinguishable
states of the machine. Actually, we impose no restriction on what sets of states we may select.

A number of special cases are worth noticing: (i) An $(S, S)$-separator is a characterization set for
$M$. (ii) An identification set for a state $s$ is any $(\{s\}, S)$-separator. (iii) For a given set $C \subseteq S$, a $(C, C)$-
separator is also called a partial characterization set for $C$. (iv) If $R \subseteq X^*$ is an $(A, B)$-separator such that
$r \not\sim_R s$ for every pair $r \in A$, $s \in B$, then $R$ is also called a strict $(A, B)$-separator.

In Section 5, $R$ is a separator that exemplifies a number of situations: it will be an identification set
for a state $s$, a partial characterization set for a set of states $C$, and a strict separator for sets of states $A, B$.
Next, we point out some useful separator properties.
Observation 11. Consider a FSM, $M$. Let $A, B, C$ and $D$ be subsets of states, not necessarily disjoint,
and let $T$ and $U$ be sets of input sequences. Let also $r$ and $s$ be states of $M$. Then,

1. $T$ is an $(A, B)$-separator if and only if $T$ is a $(B, A)$-separator;

2. If $T$ is an $(A, B)$-separator and $U$ is a $(C, D)$-separator, then $T \cup U$ is an $(A \cup C, B \cap D)$-separator;

3. If $T$ is a strict $(A, B)$-separator, $r \in A$ and $r \sim_T s$, then $s \notin B$;

4. If $T$ is an $(A, B)$-separator, $r \in A$, $s \in B$ and $r \sim_T s$, then $r \sim s$;

5. If $T$ is an $(A, B)$-separator, $C \subseteq A$ and $D \subseteq B$, then $T$ is a $(C, D)$-separator.

We can use a separator to construct another one. With the next lemmas and corollary, we obtain a 
partial characterization set from a weaker separator. The proofs are available in [13]. 

Lemma 12. Let $M$ be a FSM. Let $C \subseteq S$ be a set of states, let $B = \mathrm{nbh}(C, 1)$ be its close neighborhood
and let $R$ be a $(B, B \setminus C)$-separator such that $R$ partitions $C$ into at least $n$ classes, that is, $|[C/R]| \geq n$. If
there exist two distinguishable states $r, s \in C$ such that $r \sim_R s$, then $XR \cup R$ separates $C$ into at least $n + 1$
classes, that is, $|[C/(XR \cup R)]| \geq n + 1$.

Suppose that we applied the last lemma and obtained a new separator $X_1 R$. If there exist two
distinguishable states in $C$ that are $X_1 R$-equivalent, then we may use the lemma again to obtain a stronger
separator, $X_2 R$. In fact, the lemma may be used several times successively. We do this in the following.

Lemma 13. Let $M$ be a FSM. Let $C \subseteq S$ be a set of states, let $B = \mathrm{nbh}(C, 1)$ be its close neighborhood
and let $R$ be a $(B, B \setminus C)$-separator such that $R$ partitions $C$ into at least $n$ classes, that is, $|[C/R]| \geq n$. If
$m$ is an upper bound on the number of $\sim$-equivalence classes in $C$, and $l$ is an integer such that $n \leq l \leq m$,
then $X_{l-n} R$ separates $C$ into at least $l$ classes, that is, $|[C/X_{l-n} R]| \geq l$.

Corollary 14. $X_{m-n} R$ is a $(C, C)$-separator.

This corollary can be used to obtain a partial characterization set for C. It generalizes a known result 
from Chow [4], demonstrated in [2], that gives us the ability to generate characterization sets. The latter 
result is, in fact, a particular case of Corollary 14, when C = S. 

A separator for two sets of states $A$ and $B$ can be obtained by selecting a minimal subset of a
characterization set that is also an $(A, B)$-separator. Standard methods to reduce a FSM and to obtain a
characterization set for it are known [9]. Although this can be used for any FSM, we may obtain shorter
separators if we take into consideration the specificities of the FSM being tested.

4 Combined Finite State Machines 

Many systems are actually aggregations of other, smaller, subsystems. When modeling such systems,
it is usual to adopt the building block strategy for the development cycle, in which each subsystem is
designed, implemented and tested separately. Though each individual part of the system is tested and
deemed correct, we have no guarantee that the integrated final implementation is also correct. In order
to test such systems efficiently, we formalize below the concept of combined FSMs.

Definition 15. Let $M = (X, Y, S, s_0, \delta, \lambda)$ be a FSM. A FSM $N = (X_N, Y_N, S_N, s_0^N, \delta_N, \lambda_N)$ is called a
submachine of $M$ if and only if $X_N = X$, $Y_N \subseteq Y$, $S_N \subseteq S$ and, for every $a \in X$ and $s \in S_N$, we have
$\delta_N(a, s) = \delta(a, s)$ and $\lambda_N(a, s) = \lambda(a, s)$.

The definition ensures that a state of a subsystem behaves exactly in the same way, regardless of
whether it is considered a state of a submachine or a state of the combined machine. A combined
FSM is formed by conjoining one or more submachines. That is, a FSM may be constructed by adding
new states and new transitions to connect a set of submachines. Since each subsystem has only one entry
point, every transition that enters a submachine should end in that submachine's initial state. If, for specific
needs, a submachine has more than one entry point, then we may consider several submachines, with the
same set of states and the same transitions, but with different initial states.
Figure 2: A Combined Finite State Machine and a candidate implementation.

Definition 16. Let $M$ be a FSM and $\mathcal{N}$ be a set of submachines of $M$. Define $S_{\mathcal{N}} = \{s \in S_N \mid N \in \mathcal{N}\}$ as the
set of all submachine states, and $S_M = S \setminus S_{\mathcal{N}}$ as the set of additional states. Also, define $I_{\mathcal{N}} = \{s_0^N \mid N \in \mathcal{N}\}$
as the set of all submachine initial states. Then, $M$ is $\mathcal{N}$-combined if and only if $s_0 \in S_M$ and, for every
pair of states $s$ and $r$ such that $s \in S_M$ and $r \in S_{\mathcal{N}}$, if there exists $a \in X$ such that $r = \delta(a, s)$, then $r \in I_{\mathcal{N}}$.

In Figure 2(a), we illustrate a combined FSM. The set of submachines, $\mathcal{N}$, is formed by the machines
defined in Figure 1. For this machine, we have $S_{\mathcal{N}} = \{s_0, s_1, s_2, s_3, s_4\}$, $I_{\mathcal{N}} = \{s_0, s_4\}$ and $S_M = \{s_5, s_6\}$.
The initial state is $s_5 \in S_M$. We notice that, in fact, this machine satisfies the properties of Definition 16.
For example, for states $s_5 \in S_M$ and $s_0 \in S_{\mathcal{N}}$, since $s_0 = \delta(b, s_5)$, $s_0 \in I_{\mathcal{N}}$.

We shall use the notation introduced in Definitions 15 and 16. So, given a machine $M$ and a set of
submachines $\mathcal{N}$, we have the sets $S_{\mathcal{N}}$, $S_M$, $I_{\mathcal{N}}$ and submachines $N \in \mathcal{N}$. Moreover, decorations carry over
uniformly, e.g., from a FSM $M'$ and a set of submachines $\mathcal{N}'$, we have the sets $S'_M$, $S'_{\mathcal{N}}$, and so forth.

5 The C-method 

We present a new method, named the C-method, to test combined FSM specifications. We assume that 
an implementation is also a combined FSM in which each submachine is already tested and deemed 
correct. Also, the number of additional states is limited to a fixed upper bound. If these conditions are 
satisfied, then the C-method automatically yields a test case suite with full fault coverage. 

A submachine can itself be a combined FSM. It can, of course, also be tested using the C-method,
giving rise to a recursive testing approach. Notice that the set of submachines may be empty, so one can
always use the C-method to directly test FSM specifications. In this particular case, using the C-method
is equivalent to using the G-method [2]. Also, notice that it is necessary to test a submachine only once,
and then implementations that use it can be tested several times at a reduced cost. Further, retesting is
possible, so that, if the specification is changed, only the affected submachines need to be retested. Next,
we formalize our fault model. Then, we describe the construction of the test suite.

5.1 The fault model 

The system specification $M$ is a combined FSM, obtained from a set $\mathcal{N}$ of submachines. We assume that
$M$ is connected, and that for every pair of states, $s \in S_M$ and $r \in S_{\mathcal{N}}$, we have $s \not\sim r$. Such assumptions
are reasonable, because there is no meaning in having unreachable states in the specification, or in
reimplementing the behavior of an already available submachine state. We also assume that each submachine
$N \in \mathcal{N}$ has a correct implementation $N'$, and denote the set of submachine implementations by $\mathcal{N}'$. A
system implementation $M'$ is a combination of submachines from $\mathcal{N}'$ with up to $m$ new states. The goal
is to test $M'$ against $M$. But, first, we need to describe the fault model.
Definition 17. Let $M$ be a FSM specification and let $\mathcal{N}$ be a set of submachines of $M$ such that $M$ is
$\mathcal{N}$-combined. Let $\mathcal{N}'$ be a set of FSMs and $m$ be a positive integer. A FSM candidate implementation $M'$
is $(\mathcal{N}', m)$-combined if: (i) $M'$ is $\mathcal{N}'$-combined; (ii) $\iota(S_M) \leq |S'_M| \leq m$; (iii) for every $N \in \mathcal{N}$, there exists
$N' \in \mathcal{N}'$ such that $s_0^N \sim s_0^{N'}$; and (iv) for every $N' \in \mathcal{N}'$, there exists $N \in \mathcal{N}$ such that $s_0^{N'} \sim s_0^N$.

Figure 2(b) illustrates a candidate implementation for the combined machine depicted in Figure 2(a).
We claim that the former obeys Definition 17 with $m = 4$. Clearly, $2 = \iota(S_M) \leq |S'_M| \leq m = 4$. Also, each
state in $S_{\mathcal{N}}$ has a corresponding state in $S'_{\mathcal{N}}$. For instance, we have $s_0 \in S_{\mathcal{N}}$ and $r_4 \in S'_{\mathcal{N}}$ such that $s_0 \sim r_4$.
Notice that each submachine implementation need not be minimal. For example, $r_{10}$ is equivalent to another
state of the implementation.

5.2 Test suite generation 

The C-method is now presented. We first obtain some intermediate sets of input words, namely, a partial
transition cover set $P$, and two separators $R$ and $T$. We use $R$ to determine a parameter $n$, while $R$ and
$T$ are used to define a state attribution $Z$. Then, we use the relative concatenation operator to connect $P$
and $Z$, thus obtaining the final test suite. Procedure 1 summarizes all steps. We expand on each step.

The Cover Set $P$: It is a partial transition cover set for $S_M$ with $\varepsilon \in P$. This set is used to reach every
additional state in the specification, so that one can exercise the corresponding transitions. Since
states in $S_{\mathcal{N}}$ are known to be already correctly implemented, there is no need to cover them.

The Separator $R$: We select $R$ as any $(S_M \cup I_{\mathcal{N}}, S_{\mathcal{N}})$-separator. This set assumes several different roles,
depending on the states we are testing. For example, as a strict $(S_M, S_{\mathcal{N}})$-separator, $R$ is used to
distinguish submachine states from additional states. As an $(I_{\mathcal{N}}, S_{\mathcal{N}})$-separator, $R$ may be used to
identify initial states of submachines, and so on.

The Parameter $n$: The relation $\sim_R$ induces partitions on $M$. Based on this, we define a parameter $l$ by
letting $l = |[S/R]| - |[S_{\mathcal{N}}/R]|$. Similarly, $\sim_R$ induces a partition on the states of $M'$. In this case,
we have to choose a parameter $l'$ with the proviso that $l' \leq |[S'/R]| - |[S'_{\mathcal{N}}/R]|$. If no information
about $M'$ is available, we can always choose $l' = 0$. Then, we set $n = \max\{l, l'\}$. This parameter
influences the size of the test suite, that is, the larger $n$ is, the smaller the test suite will be. As
suggested in the G-method [3], if knowledge is available about the implementation, then $l'$ may be
set to larger values, thus giving rise to more succinct test suites. We notice that we always have
$m \geq n$, otherwise no correct candidate implementation would be possible.

The Separator $T$: It is used to complement $R$, whenever there is a need to identify states in
neighborhoods of $I_{\mathcal{N}}$. We define $A = \mathrm{nbh}(I_{\mathcal{N}}, m - n - 1)$ and select $T$ to be any $(A, S_{\mathcal{N}})$-separator. Notice that
in the case $m = n$, $A$ contains no element, so we may define $T$ as the empty set.

The State attribution $Z$: We use $T$ only for input words that reach states in $S_{\mathcal{N}}$. Then, to avoid
generating unnecessary test sequences, we use a class attribution, over the partition $\{S_{\mathcal{N}}, S_M\}$, given by
$\mathcal{Z}(S_{\mathcal{N}}) = T \cup R$ and $\mathcal{Z}(S_M) = R$. We then define a state attribution $Z$ by letting $Z(s) = X_{m-n} \otimes_s \mathcal{Z}$,
for all $s \in S$.

The Test suite $\pi$: The test suite generated by the C-method is computed as $\pi = P \otimes Z$.

The correctness of the C-method is guaranteed by the following theorem.

Theorem 18. Let $M$ be a FSM specification and $M'$ be a FSM candidate implementation, as described
in Subsection 5.1. Obtain a test suite $\pi$ using Procedure 1. Then, $s_0 \sim s'_0$ if and only if $s_0 \sim_\pi s'_0$.

Proof sketch. The proof relies on Corollary 14. We use a weaker separator $R$ to obtain a partial
characterization set, $Z = X_{m-n} R$, for the set of additional states $S'_M$. We then use $T$ to separate implementation
states that are distinguishable only by sequences that reach the initial states of submachines. Once we
have a partial characterization set for $S'_M$, we use arguments similar to those appearing in proofs involving
the G-method. We give a complete and detailed proof of the C-method correctness in [13].
Procedure 1: Test suite construction for the C-method

Input: $M$, $m$. Output: $\pi$.
begin
    Obtain a partial transition cover set $P$ for $S_M$ such that $\varepsilon \in P$;
    Obtain an $(S_M \cup I_{\mathcal{N}}, S_{\mathcal{N}})$-separator $R$;
    Define $l \leftarrow |[S/R]| - |[S_{\mathcal{N}}/R]|$;
    Choose $l' \leq |[S'/R]| - |[S'_{\mathcal{N}}/R]|$;
    Define $n \leftarrow \max\{l', l\}$;
    Define $A \leftarrow \mathrm{nbh}(I_{\mathcal{N}}, m - n - 1)$;
    Obtain an $(A, S_{\mathcal{N}})$-separator $T$;
    Define $\mathcal{Z}(S_M) \leftarrow R$ and $\mathcal{Z}(S_{\mathcal{N}}) \leftarrow R \cup T$;
    foreach $s \in S$ do
        Define $Z(s) \leftarrow X_{m-n} \otimes_s \mathcal{Z}$;
    return $\pi \leftarrow P \otimes Z$;
end


6 Comparison and Discussion 

In this section, we briefly review the W-method and generate test suites for an example specification
using the W-method and the C-method. For this example, we limit the number of sequences generated by each
method and give the number of unique and prefix-free test cases [3]. Then, we discuss the general case.

6.1 The W-method 

The W-method applies to minimal, completely specified and deterministic FSMs. The set of implementation
candidates comprises all faulty machines with up to $m_W$ states. Test suites for this fault model
are called $m_W$-complete. The method depends on two sets, $P_W$ and $W$. $P_W$ is a transition cover set for $S$,
and $W$ is a characterization set for $S$. Then, an intermediate set $Z_W$ is defined as $X_{m_W - n_W} W$, where $n_W$ is
the number of specification states. The final test suite is given by $\pi_W = P_W Z_W$.

6.2 Example 

We will generate test suites for the specification depicted in Figure 2(a). The test suites are intended for
$(\mathcal{N}', m)$-combined candidate implementations, with $m = 4$ and where $\mathcal{N}'$ is illustrated in Figure 2(b).

Using the W-method: The specification in Figure 2(a) has $n_W = 7$ states and the candidate
implementation has $|S'_{\mathcal{N}}| = 7$ submachine states and up to $m = 4$ additional states. So the minimum
value for $m_W$ we may choose is $m_W = 7 + 4 = 11$. Next, we select a transition cover set, $P_W$, and
then we choose a minimal characterization set, $W$. Finally the $Z_W$ set is computed.

• $P_W = \{\varepsilon, a, b, aa, ab, aaa, aab, ba, bb, baa, bab, baaa, baab, baba, babb\}$;

• $W = \{aaaa, bb\}$;

• $Z_W = X_{m_W - n_W} W = X_4 W$.

So, $\pi_W = P_W Z_W$ and $|\pi_W| \leq |P_W||X_4||W| = 930$. In fact, $\pi_W$ has 256 prefix-free words.

Using the C-method: We select $P$ as a minimal subset of $P_W$ that is a partial transition cover set for
$S_M$. Then an $(S_M \cup I_{\mathcal{N}}, S_{\mathcal{N}})$-separator $R$ is extracted from $W$. Notice that $R$ is a weaker separator than
$W$, since, for example, $s_2 \sim_R s_3$, but $s_2 \not\sim_W s_3$. Next, we partition the states of $M$ and obtain
the value $l$. Since no specific information is available about $M'$ we choose $l' = 0$. From those two
values we obtain the parameter $n$. Proceeding, we define $A$ as the $(m - n - 1)$-neighborhood of $I_{\mathcal{N}}$,
and then we select an $(A, S_{\mathcal{N}})$-separator $T$ from $W$. Finally, we calculate the state attribution $Z$:

• $P = \{\varepsilon, a, b, aa, ab, aaa, aab, ba, bb\}$;

• $R = \{aaaa\}$;

• $[S/R] = \{\{s_0\}, \{s_1\}, \{s_2, s_3\}, \{s_4\}, \{s_5\}, \{s_6\}\}$;

• $[S_{\mathcal{N}}/R] = \{\{s_0\}, \{s_1\}, \{s_2, s_3\}, \{s_4\}\}$;

• $l' = 0$, $l = |[S/R]| - |[S_{\mathcal{N}}/R]| = 2$ and so $n = \max\{l', l\} = 2$;

• $A = \mathrm{nbh}(I_{\mathcal{N}}, m - n - 1) = \mathrm{nbh}(\{s_0, s_4\}, 1) = \{s_0, s_1, s_4\}$;

• $T = \{aaaa\}$;

• $\mathcal{Z}(S_{\mathcal{N}}) = T \cup R = R$ and $\mathcal{Z}(S_M) = R$;

• $Z(s) = X_{m-n} \otimes_s \mathcal{Z} = X_{m-n} R = X_2 R$ for every $s \in S$.

So, $\pi = P \otimes Z = P X_2 R$ and $|\pi| \leq |P||X_2||R| = 63$. In fact, $\pi$ has 20 prefix-free test cases. Also,
the submachines of Figure 2(a) may have been tested previously using 24 test cases. So, one can
use the C-method to test the entire specification using only 44 words.
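As an added worked example (code written for this edit, not the paper's), the following Python builds a small constructed $\mathcal{N}$-combined specification and runs Procedure 1 on it, using the partition, separator, neighborhood and partial cover set constructions of Sections 2 and 3, and taking $R$ and $T$ as subsets of a characterization set $W$ as the example above does. It then generates the W-method suite for the same machine and checks both suites against two constructed candidate implementations, one correct with a redundant additional state and one with a wrong output. The machine, the choices $m = 3$ and $m_W = 6$, and the implementations are assumptions of the example; separators are chosen by a simple shortest-word rule, which is this example's own selection strategy, not an algorithm from the paper.

```python
from itertools import product

# Constructed N-combined specification (not the paper's Figure 2): submachine N has
# states n0 (its initial state), n1, n2; the additional states are m0 (initial state
# of M) and m1. Entries: (state, input) -> (next state, output). Every transition
# from an additional state into N ends in n0, as Definition 16 requires.
X = ("a", "b")
SPEC = {("m0", "a"): ("m1", 0), ("m0", "b"): ("n0", 0),
        ("m1", "a"): ("m0", 1), ("m1", "b"): ("n0", 1),
        ("n0", "a"): ("n1", 1), ("n0", "b"): ("n0", 0),
        ("n1", "a"): ("n2", 0), ("n1", "b"): ("n1", 1),
        ("n2", "a"): ("n0", 0), ("n2", "b"): ("n2", 1)}
S0, SN, IN = "m0", {"n0", "n1", "n2"}, {"n0"}
S = {s for s, _ in SPEC}
SM = S - SN


def run(fsm, word, s):
    """Extended functions: (delta*(word, s), lambda*(word, s))."""
    out = []
    for a in word:
        s, y = fsm[(s, a)]
        out.append(y)
    return s, tuple(out)


def words_up_to(n):
    """X_n: all input words of length at most n."""
    return {"".join(w) for k in range(n + 1) for w in product(X, repeat=k)}


def differ(fsm, p, s, r):
    return run(fsm, p, s)[1] != run(fsm, p, r)[1]


def distinguishable(fsm, s, r):
    # Two states of a k-state machine are distinguishable iff a word shorter than k does it.
    return any(differ(fsm, p, s, r) for p in words_up_to(len(fsm) // len(X) - 1))


def partition(fsm, C, R):
    """[C/R]: the classes of C under R-equivalence (same outputs on every word of R)."""
    classes = {}
    for s in C:
        classes.setdefault(tuple(run(fsm, p, s)[1] for p in sorted(R)), set()).add(s)
    return list(classes.values())


def is_separator(fsm, A, B, R):
    """Definition 10: every distinguishable pair (s in A, r in B) differs on a word of R."""
    return all(any(differ(fsm, p, s, r) for p in R)
               for s in A for r in B if distinguishable(fsm, s, r))


def separator(fsm, A, B, cands):
    """Pick an (A, B)-separator from cands: whenever a distinguishable pair is not yet
    separated, add the shortest candidate word that tells the two states apart."""
    R = set()
    for s in sorted(A):
        for r in sorted(B):
            if distinguishable(fsm, s, r) and not any(differ(fsm, p, s, r) for p in R):
                R.add(min((p for p in cands if differ(fsm, p, s, r)), key=lambda p: (len(p), p)))
    return R


def cover_set(fsm, C):
    """Partial transition cover set for C (Definition 7): a shortest access word p for
    every s in C plus pa for every input a; the empty word is always included."""
    acc, queue = {S0: ""}, [S0]
    while queue:                      # breadth-first search from the initial state
        s = queue.pop(0)
        for a in X:
            t = fsm[(s, a)][0]
            if t not in acc:
                acc[t], queue = acc[s] + a, queue + [t]
    return {""} | {acc[s] + a for s in C for a in ("",) + X}


def nbh(fsm, C, k):
    """k-neighborhood of C (Definition 6); empty when k < 0."""
    return {run(fsm, p, s)[0] for s in C for p in words_up_to(k)} if k >= 0 else set()


def rel_concat(fsm, A, Z, s):
    """s-relative concatenation A (x)_s Z (Definition 3)."""
    return {alpha + beta for alpha in A for beta in Z[run(fsm, alpha, s)[0]]}


def c_method(m, W, l_prime=0):
    """Procedure 1 on SPEC, with R and T drawn from the characterization set W."""
    P = cover_set(SPEC, SM)
    R = separator(SPEC, SM | IN, SN, W)
    n = max(len(partition(SPEC, S, R)) - len(partition(SPEC, SN, R)), l_prime)
    T = separator(SPEC, nbh(SPEC, IN, m - n - 1), SN, W)
    Zc = {s: R | T if s in SN else R for s in S}        # class attribution on {S_N, S_M}
    Z = {s: rel_concat(SPEC, words_up_to(m - n), Zc, s) for s in S}
    return rel_concat(SPEC, P, Z, S0), P, R, T, n


def w_method(m_w):
    """W-method on SPEC: P_W X_{m_W - n_W} W with a full cover set and a characterization set."""
    P_w, W = cover_set(SPEC, S), separator(SPEC, S, S, words_up_to(len(S) - 1))
    return {p + x + w for p in P_w for x in words_up_to(m_w - len(S)) for w in W}, P_w, W


def passes(impl, suite):
    """Conformance: the implementation reproduces the specification's outputs on every test."""
    return all(run(SPEC, t, S0)[1] == run(impl, t, S0)[1] for t in suite)


# Constructed candidates: GOOD adds a redundant copy m2 of m1 (three additional states,
# so m = 3 is needed); BAD returns a wrong output on the b-transition of m1.
GOOD = {**SPEC, ("m0", "a"): ("m2", 0), ("m2", "a"): ("m0", 1), ("m2", "b"): ("n0", 1)}
BAD = {**SPEC, ("m1", "b"): ("n0", 0)}
```

On this machine `w_method(6)` yields $W = \{a, b, aa\}$ and `c_method(3, W)` yields $R = \{a, b\}$, which is an $(S_M \cup I_{\mathcal{N}}, S_{\mathcal{N}})$-separator but not an $(S_{\mathcal{N}}, S_{\mathcal{N}})$-separator, because $n_1$ and $n_2$ are only told apart by $aa$; this is the same weakening as $R = \{aaaa\}$ against $W$ in the example above. Since $P \subseteq P_W$ and $R \cup T \subseteq W$ here, the C-method suite is a proper subset of the W-method suite, and both suites reject BAD and accept GOOD.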

Comparing the results, the gains afforded by the C-method are evident. 

6.3 Discussion 

The difference between the two test suites obtained in the previous example is mainly due to two factors.
First, in the C-method, we use a partial cover set, and so we can use a subset of the cover set used by the
W-method. Second, since $m - n < m_W - n_W$, the set $X_{m-n}$ used by the C-method may have exponentially
fewer sequences than the set $X_{m_W - n_W}$ used by the W-method. This can be seen by the following theorem. The
proof is available in [13].

Theorem 19. Let $M$ be a minimal connected $\mathcal{N}$-combined FSM. Assume that $|X| \geq 2$. Consider the fault
model defined by all implementations $M'$ such that $M'$ is $(\mathcal{N}', m)$-combined, $|S'_M| = m$ and $|S'_{\mathcal{N}}| = k$. Let
$\pi_W$ be the test suite generated by the W-method, with $P_W$ the set used as a transition cover set. Then, we
can use the C-method and obtain a test suite $\pi$, associated with a partial transition cover set $P$ obtained
from $P_W$, in such a way that $\pi \subseteq \pi_W$, and satisfying

(i) the ratio $|P_W|/|P|$ exceeds $1$ by a term that grows with $j$ relative to $l$; (ii) $|\pi| \in O\big(l\,(j+l)^2\,|X|^{m-l+1}\big)$; and (iii) $|\pi_W| \in O\big((j+l)^3\,|X|^{m-l+k-j+1}\big)$,

where $l = |S_M|$ and $j = |S_{\mathcal{N}}|$.

This result allows us to compare the test suites generated by both the W-method and the C-method.
Clearly, both test suites depend on the cover sets that are used. The first claim in Theorem 19 estimates
the ratio between the sizes of the cover sets. It indicates that the larger the number of submachine
states, $j$, compared to the number of additional states, $l$, the greater the advantage of using the C-method.
This is expected, since, when using the C-method, we do not need to test submachine states. In Theorem 19,
the second claim gives a bound on the size of the test suites generated by the C-method. The factor $l|X|$
corresponds to the cover set $P$, the factor $(j+l)^2$ is a rough limit on the size of the separator $R$, and the factor
$|X|^{m-l}$ comes from the set $X_{m-l}$. This set is used to allow the test of implementations with more states
than the specification. Claim (iii) of Theorem 19 concerns the W-method. We have a similar bound,
except that there is an extra factor of $|X|^{k-j}$ which corresponds to the difference between the number of
submachine states in the implementation, $k$, and in the specification, $j$. Since submachines are known to be
correctly implemented, we do not need to deal with these states when using the C-method. This indicates
that the C-method may generate test suites with exponentially fewer test cases than the W-method.

We also argue that the C-method is scalable. That is, unlike the W-method, which requires that
specifications have a small number of states, with the C-method we can test systems with a high number
of states, provided that the number of additional states is kept low. This is due to the fact that, in spite of the
specification being arbitrarily large, the size of the generated test suite is only polynomial in the number
of submachine states. Compare this to the bound obtained for the W-method. We conclude that scalability
is a major advantage of the C-method when testing systems designed with a building block strategy.
7 Conclusions

The W-method [4] is widely used to test critical systems modeled as FSMs. However, if the number of 
states is large, this method, and derivations from it, become impractical. Moreover, in several common 
situations, using the W-method is inefficient. Such cases include testing modified implementations with 
minor specifications changes and testing new systems modeled by the building block strategy. 

To address these issues, we introduced the concept of combined FSMs, thus capturing the situation 
when the specification is given by a composition of other, previously tested, submachines. With this new 
concept, we were able to represent the above situations in a specific fault model. This resulted in the 
C-method, which can generate smaller test suites for combined FSMs. 

We also introduced separators, generalizing the notion of characterization sets. Separators proved to
be useful tools to prescribe the generation of test suites. By using separators, instead of a characterization
set, as in the W-method, we can distinguish only as few states as we need and, therefore, we may use
smaller sets of distinguishing sequences, thereby reducing the size of the test suites being generated.

Further, although the C-method can always obtain test suites that are subsets of those generated using the
W-method, our method may, in fact, generate exponentially fewer sequences than the W-method.

Finally, we showed that C-method is scalable, provided that the number of additional states is kept 
small. This means that we can test FSMs with an arbitrarily large number of states if we apply a building 
block strategy during system development and maintenance. 